The massive presence of unprotected IoT devices is providing many opportunities for malicious threat actors. Most of these devices are plug-and-play and do not require any kind of configuration, making security optional.
In fact, manufacturers ship the devices with default passwords that are publicly known, providing easy access to the configuration panel for new users. If such passwords are not replaced with new, strong ones, they provide the first entry vector used by attackers.
Attackers who compromise a high number of IoT devices usually create botnets to trigger DDoS (distributed denial-of-service) attacks with the goal of disabling systems for hacktivism or financial gain.
Our team of security researchers at Nozomi Networks Labs analyzed several variants of the IoT botnet dubbed Dark Nexus. It is a new IoT botnet that has come to prominence in the last few months and its capabilities have been thoroughly discussed by Bitdefender researchers. 
We analyzed its network behavior, which we describe in this post, and provide a detection signature to help protect IoT, OT and IT networks.
Dark Nexus is an IoT botnet that uses DDoS attacks for financial gain. Nozomi Networks security researchers have analyzed its network behavior and provided a detection signature.
IoT Botnet Dark Nexus: Three Categories of Network Activity
The Dark Nexus bot leaves a hefty network trail that can be broadly divided into three categories:
- C&C (command and control) communication
- DDoS attacks
Though self-propagation and DDoS attacks could be a single category, their final goals are very different, so we prefer to analyze them separately. To properly commandeer the bot in our lab, we wrote a replacement for the C&C server that allowed us to trigger network activity in a controlled manner.
While the bot carefully analyzes the system it is executing in, and kills suspicious processes that might hinder its activities, the most delicate section remains the network parsing code. This is a critical feature for a botnet, since a bug in this area might lead to catastrophic consequences for the threat actor. The botnet itself could become vulnerable to DDos attacks or be completely taken over by a different hacking group.
We analyzed each of the three categories of Dark Nexus’ activity.
C&C Communication Aims to Download Latest Version
Once a device is infected, it performs a GET request to retrieve its IP:
GET / HTTP/1.1
It then goes on to send a registration message to the C&C server in the following format:
\x10[first_argument] \x11[architecture] \x12[version] \x13[reverse proxy random port] \x14[socks proxy random port]
In the example shown above, the 6.6 version of the malicious binary was executed with argv set to “new_vector”, running on an ARM7 CPU. A question mark character is sent if no arguments are provided. The binary randomly chose port 52750 to run its reverse proxy and port 50999 to run a SOCKS proxy.
The following Snort rule can be used by everyone in the security community to detect such traffic:
# Created by Nozomi Networks Labs
alert tcp any any -> any 30047 (msg:"Detected dark_nexus Botnet CnC Beacon"; flow:established,to_server; content:"|10|"; depth:1; pcre:"/\x11(arm|arm5|arm6|arm7|mips|mpsl|arc|ppc|x86|i586|i686|m68k|sh4|spc)\x12\d+\.\d+\x13\d+\x14\d+$/"; fast_pattern; sid:9000085; metadata:created_at 2020_05_06;)
Furthermore, the binary tries to download new versions of itself for all available architectures to ensure execution of its latest code.
In the first phase of Dark Nexus, the bot communicates with a C&C server and attempts to download and run its latest version. Nozomi Networks Labs has released a free Snort Rule to detect this network activity.
Click to enlarge
Self-propagation Using Telnet, Port 23 and Random IPs
Telnet brute-forcing is a typical method of propagation among IoT botnets. Dark Nexus uses the
get_random_ip function to generate random IPs, making sure to avoid certain IP ranges (invalid, localhost, certain companies). The function is very similar to the
get_random_ip function found in leaked Mirai source code. 
A SYN packet is then sent to the random IP with a destination port of 23. If the telnet service happens to be running and is reachable, a list of stored credentials is used to attempt to login successfully. Most of the stored credentials have been taken from public sources, such as the leaked Mirai source code, but there’s evidence that the author is adding new credentials from one version to another.
From a blue team perspective, the telnet scan capability, as simple as it is, underlines the need to avoid full internet exposure for devices that don’t strictly require it.
Dark Nexus self-propagates by sending Telnet SYN scan traffic to port 23 of random IP addresses.
Click to enlarge
gen_random_ip from dark_nexus decompiled is shown on the left and
gen_random_ip from leaked Mirai source code on the right.
Click to enlarge
DDoS Attacks Use Multiple Functions and Generate Network Traffic
The versions of the malware we examined contained the following attack functions:
Click to enlarge
parse_packetfunction, which is responsible for parsing attack commands received from C&C, resulted in the following message sent from our emulated C&C to the infected host to trigger
msg - attack id
msg - target count
msg - target IP octet 1
msg - target IP octet 2
msg - target IP octet 3
msg - target IP octet 4
msg - target port lsb
msg - target port msb
msg - end marker
Click to enlarge
attack_httpmethod, we had to change the attack_id in the C&C message. As shown below, the HTTP headers were randomized for every request.
Click to enlarge
Securing IoT Devices Requires Safe Visibility
IoT devices have specific peculiarities, such as limited processing power, that make them difficult to monitor. Resource-intensive agents, for example, can cripple their functionality. For this reason, once infected with a bot like Dark Nexus, an IoT device might require a firmware update that restores it to a clean slate in order to function properly.
To secure and properly manage your network, one of the first requirements is to have visibility of all your IoT devices.
There are technologies that automate asset identification in a way that ensures the availability of sensitive IoT assets. Our own product Guardian, for example, uses passive network traffic analysis to identify IoT devices and provide detailed information about each one. It works with our Threat Intelligence service to protect IoT and OT networks from threats such as Dark Nexus.
- Bitdefender.com: New dark_nexus IoT Botnet Puts Others to Shame
- GitHub.com: jgamblin/Mirai-Source-Code
WEBINAR & PODCAST
Duration: 45 minutes
Join us to learn about:
- How IoT botnets work
- Common propagation techniques
- Hacktivism and financial gain
- Strategies to protect networks
- Demo – Dark Nexus real-time execution
- Andrea Carcano, Chief Product Officer
- Alessandro Di Pinto, Security Research Manager
- Ivan Speziale, Security Researcher
Supply Chain and Persistent Ransomware Attacks Reach New Heights
- 7 trends defining today’s threat landscape
- 18 specific threats you need to know about
- Recent vulnerability research and exploitation trends
- 7 types of vulnerabilities under active exploitation
- 10 recommendations for securing OT/IoT networks
Nozomi Networks COVID-19 Security Threat Intel and Community Tools
- Webpage: COVID-19 Malware: Community Support
- GitHub: COVID-19-Themed Network Indicators
- Podcast: The Emerging Threat Intel Landscape: How Hackers Are Using COVID-19
- Blog: COVID-19 (coronavirus) Malware: New OT and IoT Security Tools
Nozomi Networks Solution
Security Research Manager, Nozomi Networks
Alessandro Di Pinto is an Offensive Security Certified Professional (OSCP) with an extensive background in malware analysis, ICS/SCADA security, penetration testing and incident response. He holds GIAC Reverse Engineering Malware (GREM) and GIAC Cyber Threat Intelligence (GCTI) certifications. Alessandro co-authored the research paper “TRITON: The First ICS Cyber Attack on Safety Instrument Systems” and “Analyzing the GreyEnergy Malware: from Maldoc to Backdoor”.